AMENDMENTS TO THE CLAIMS

This listing of claims replaces all prior versions, and listings, of claims in the application: 
Listing of Claims: 

1. (Currently Amended) At a first network authority connected to a network 
environment, a super authority and one or more other network authorities also being connected 
to the network environment, each network authority configured to authenticate a subset of 
principals that access the network environment through different domains, A a method of
authenticating a principal in a the network environment, wherein the principal's account
identifier is configured for authentication at a network authority from among the first network
authority and the one or more other network authorities, the method comprising:

receiving at a the first authority a login request from the principal, wherein the
login request comprises an account identifier identifying the principal:

transmitting the account identifier from the receiving first authority to a the super
authority for identification of an authority that is authorized to authenticate the principal
based on the account identifier; and

the first network authority receiving from the super authority an indication of a 
selected network authority, selected from among the first network authority and the one 
or more other network authorities, that is authorized to authenticate the principal based on 
the account identifier: and 

the first network authority transferring the login request to the selected network 
authority for processing, even if the selected network authority is one of the one or more 
other network authorities 

authenticating the principal at the receiving authority if a transmission is received
at the receiving authority from the super authority indicating that the receiving authority
is authorized to authenticate the principal, and otherwise abstaining from authentication
of the principal.

2. (Original) The method according to claim 1, wherein the account identifier 
comprises a principal identifier and a namespace identifier. 

3. (Currently Amended) The method according to claim 1, wherein the first network 
authority authenticates the principal based on the first network authority being the selected 
network authority further comprising receiving at the receiving authority from the super
authority a request to authenticate a second principal based on a login request made by the
second principal, wherein the login request made by the second principal was made by the
requesting principal to another authority other than the receiving authority.

4. (Currently Amended) A system, comprising:
system memory;

one or more processors; and

one or more recordable-type computer-readable media having stored thereon
computer-executable instructions of a controlling authority for identifying an authenticating
authority for authenticating a principal for access to network resources, the controlling authority
comprising:

an identity catalog, the identity catalog mapping at least one account ID of at least
one principal to an identifier of a corresponding authenticating authority; and

an authority resolution module for accessing the identity catalog to match the 
account ID based on the identity of the principal with a corresponding authenticating 
authority and for causing an authentication request to be directed to the corresponding 
authenticating authority. 

5. (Currently Amended) The system controlling authority according to claim 4, 
further comprising a network interface for passing the account ID to the authority resolution 
module and for receiving from the authority resolution module an authentication request directed 
to the corresponding authenticating authority. 

6. (Currently Amended) The system controlling authority according to claim 4, 
wherein the identity catalog maps a plurality of account IDs to a corresponding plurality of 
authenticating authorities. 






Application No. 10/667,582 

Amendment "A" dated February 16, 2007 

Reply to Office Action mailed November 17, 2006 

7. (Currently Amended) The system controlling authority according to claim 6, 
wherein each account ID comprises a namespace identifier, and wherein the plurality of account 
IDs comprises at least two account IDs having a common namespace identifier, wherein the at 
least two account IDs are mapped to at least two different respective ones of the plurality of 
authenticating authorities. 

8. (Currently Amended) The system controlling authority according to claim 6, 
wherein each account ID comprises a namespace identifier, and wherein the plurality of account 
IDs comprises at least two account IDs having different namespace identifiers, wherein the at 
least two account IDs are mapped to the same one of the plurality of authenticating authorities. 

9. (Currently Amended) The system controlling authority according to claim 6, 
wherein the content of the identity catalog is based at least in part on the organizational 
affiliation of principals within an entity. 

10. (Currently Amended) The system controlling authority according to claim 6, 
wherein the content of the identity catalog is based at least in part on the geographical location of 
principals. 

11. (Original) At a super authority connected to a network environment, an assigned
authenticating authority and one or more other authenticating authorities also being connected to
the network environment, each authenticating authority configured to authenticate of subset of
principals that access the network environment through different domains, A a method of
controlling authentication of principals for access to network resources in a network
environment, wherein the principal's account identifier is configured for authentication at an
authenticating authority from among the assigned authenticating authority and the one or more
other authenticating authorities, the method comprising:

receiving at the super authority a request for an authenticating authority resolution
from one of a plurality of authenticating authorities, wherein the request comprises an
account ID of a principal to be authenticated;

accessing an assignment mapping of that maps each account ID in a plurality of
account IDs to a corresponding plurality of authenticating authorities that can be used to
authenticate the account ID, the account ID comprising the identity of the principal and
locating within the mapping the account ID of the principal to be authenticated;

locating within the mapping an identity of an assigned authenticating authority
from among the one or more authenticating authorities that is mapped corresponds to the
account ID of the principal to be authenticated; and

causing an authentication request to be transmitted to the assigned authenticating
authority located from among the one or more authenticating authorities, the assigned
authenticating authority having been located using the principal's account ID, wherein
the request asks the assigned authenticating authority to authenticate the principal to be
authenticated.

12. (Original) The method according to claim 11, wherein each account ID 
comprises a namespace identifier, and wherein the plurality of account IDs comprises at least 
two account IDs having a common namespace identifier, wherein the at least two account IDs 
are mapped to at least two different respective ones of the plurality of authenticating authorities 
via the assignment mapping. 

13. (Original) The method according to claim 11, wherein each account ID 
comprises a namespace identifier, and wherein the plurality of account IDs comprises at least 
two account IDs having different namespace identifiers, wherein the at least two account IDs are 
mapped to the same one of the plurality of authenticating authorities via the assignment 
mapping. 

14. (Original) The method according to claim 11, further comprising altering the 
assignment mapping whereby an account ID previously mapped to a first authenticating 
authority is remapped to a second authenticating authority. 

15. (Original) The method according to claim 11, wherein the assignment mapping is 
based at least in part on the organizational affiliation of principals within an entity. 

16. (Original) The method according to claim 11, wherein the assignment mapping is
based at least in part on the geographical location of principals. 

17. (Currently Amended) At a super authority connected to a network environment,
an assigned authenticating authority and one or more other authenticating authorities also being
connected to the network environment, each authenticating authority configured to authenticate
of subset of principals that access the network environment through different domains, A an
apparatus for controlling authentication of principals for access to network resources in a
network environment, wherein the principal's account identifier is configured for authentication
at an authenticating authority from among the assigned authenticating authority and the one or
more other authenticating authorities, the method comprising:

means for receiving at the super authority a request for an authenticating authority
resolution from one of a plurality of authenticating authorities, wherein the request
comprises an account ID of a principal to be authenticated;

means for accessing an assignment mapping of that maps each account ID and a
plurality of account IDs to a corresponding plurality of authenticating authorities that can
be used to authenticate the account ID, the account ID comprising the identity of the
principal and for locating within the mapping the account ID of a principal to be
authenticated;

means for locating within the mapping an identity of an assigned authenticating
authority from among the one or more authenticating authorities that is mapped
corresponds to the account ID of a the principal to be authenticated; and

means for causing an authentication request to be transmitted to the assigned
authenticating authority located from among the one or more authenticating authorities,
the assigned authenticating authority having been located using the principal's account
ID, wherein the request invites the assigned authenticating authority to authenticate the
principal to be authenticated.

18. (Original) The apparatus according to claim 17, wherein each account ID 
comprises a namespace identifier, and wherein the plurality of account IDs comprises at least 
two account IDs having a common namespace identifier, wherein the at least two account IDs 
are mapped to at least two different respective ones of the plurality of authenticating authorities 
via the assignment mapping. 

19. (Original) The apparatus according to claim 17, wherein each account ID 
comprises a namespace identifier, and wherein the plurality of account IDs comprises at least 
two account IDs having different namespace identifiers, wherein the at least two account IDs are 
mapped to the same one of the plurality of authenticating authorities via the assignment 
mapping. 

20. (Original) The apparatus according to claim 17, further comprising means for 
altering the assignment mapping whereby an account ID previously mapped to a first 
authenticating authority is remapped to a second authenticating authority. 

21. (Currently Amended) At a super authority connected to a network environment,
an assigned authenticating authority and one or more other authenticating authorities also being
connected to the network environment, each authenticating authority configured to authenticate
of subset of principals that access the network environment through different domains, A a
recordable-type computer-readable medium having thereon computer-executable instructions for
performing a method of controlling authentication of principals for access to network resources
in a network environment, wherein the principal's account identifier is configured for
authentication at an authenticating authority from among the assigned authenticating authority
and the one or more other authenticating authorities, the method comprising the steps of:

receiving at the super authority a request for an authenticating authority resolution
from one of a plurality of authenticating authorities, wherein the request comprises an
account ID of a principal to be authenticated;

accessing an assignment mapping of that maps each account ID and a plurality of
account IDs to a corresponding plurality of authenticating authorities that can be used to
authenticate the account ID, the account ID comprising the identity of the principal and
locating within the mapping the account ID of the principal to be authenticated;

locating within the mapping an identity of an assigned authenticating authority
from among the one or more authenticating authorities that is mapped corresponds to the
account ID of the principal to be authenticated; and

causing an authentication request to be transmitted to the assigned authenticating
authority located from among the one or more authenticating authorities, the assigned
authenticating authority having been located using the principal's account ID, wherein
the request asks the assigned authenticating authority to authenticate the principal to be

22. (Currently Amended) The recordable-type computer-readable medium according 
to claim 21, wherein each account ID comprises a namespace identifier, and wherein the 
plurality of account IDs comprises at least two account IDs having a common namespace 
identifier, wherein the at least two account IDs are mapped to at least two different respective 
ones of the plurality of authenticating authorities via the assignment mapping. 

23. (Currently Amended) The recordable-type computer-readable medium according 
to claim 21, wherein each account ID comprises a namespace identifier, and wherein the 
plurality of account IDs comprises at least two account IDs having different namespace 
identifiers, wherein the at least two account IDs are mapped to the same one of the plurality of 
authenticating authorities via the assignment mapping. 

24. (Currently Amended) The recordable-type computer-readable medium according 
to claim 21, wherein the assignment mapping is based at least in part on the organizational 
affiliation of principals within an entity. 

25. (Currently Amended) The recordable-type computer-readable medium according 
to claim 21, wherein the assignment mapping is based at least in part on the geographical 
location of principals. 